EEVblog Electronics Community Forum
Products => Test Equipment => Topic started by: Fungus on August 31, 2018, 06:06:03 pm
-
Latest unlocking instructions are in this post:
https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg4066828/#msg4066828 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg4066828/#msg4066828)
-
plus a video will be great.
start from here from what i observe.
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639)
-
Ian posted the most concise instructions for the bandwidth upgrade in that thread:
1. Update with the OS update with the known root password.
2. telnet to the scope, and log in as root.
3. Execute these commands:
mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
4. Reboot
I don't think there has been a definitive consensus on unlocking the other options without option codes?
-
plus a video will be great.
start from here from what i observe.
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1612639/#msg1612639)
Yep like that and similar for SSA too.(mentioned in SSA hack thread)
There are other/better ways too. :-X
-
Ian posted the most concise instructions for the bandwidth upgrade in that thread:
1. Update with the OS update with the known root password.
a) Which you get.... where?
b) How do you install it?
2. telnet to the scope, and log in as root.
a) Telnet port #?
3. Execute these commands:
mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
4. Reboot
Is that definitively all it takes? I've read a few places that there's some weird aliasing at high frequencies that isn't in the real 200Mhz version of the 'scope, that maybe something else needs tweaking.
To me it seems weird that you'd hide the bandwidth.txt file instead of modifying it (if I were a Siglent firmware writer I'd default to low bandwidth when the file is missing)
I don't think there has been a definitive consensus on unlocking the other options without option codes?
You mean the "software" part of the AWG, MSO and WiFi options?
-
Here was my process
1.) Format a USB flash drive to FAT32
2.) Load the flash drive with the SDS1004X-E Firmware (4-Channel Model) - 6.1.25R2 (Release Date 06.29.18) by downloading it from the Siglent website (https://www.siglentamerica.com/download/6422/) and unzipping it onto the flashdrive.
3.) Once the file is loaded, install the firmware onto the oscilloscope by following the instructions in the PDF included in the firmware zip file. Verify the correct firmware version is installed using the menus within the Utility button, and take note of the model number (should read SDS1104X-E)
4.) Once the firmware has been installed on the scope, reformat the flash drive to FAT32 and unzip the SDS1004X-E Operating System-V1 (Only For 4-Channel ) (Release Date 06.26.18) after downloading it from the Siglent website (https://www.siglentamerica.com/download/6158/).
5.) Install the software update onto the oscilloscope by following the instructions in the PDF included in the firmware zip file. Reboot the scope and verify the correct software version is installed using the menus within the Utility button.
6.) Download the custom operating system file (https://www45.zippyshare.com/v/SEUJEWE1/file.html) that possesses the known telnet password. Unzip it onto a USB drive and install it just as you installed the stock software file from the Siglent website. NOTE: Some computers do not correctly load the software file onto the USB drive, thus preventing the scope from updating from the stock software to the custom software. I have experienced this problem personally. If this occurs, try loading it onto the USB from a different computer. I had success using a Raspberry Pi to load the custom software onto the USB.
7.) After installing the custom software, plug the oscilloscope into your router with an ethernet cable, and telnet into the scope on port 23 using the known password.
8.) Once in the scope via telnet, execute the following commands:
mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
9.) Reboot the scope, and verify that the model number displayed in the Utility button menus has been updated to show an SDS1204X-E
Now the scope should have 200MHz bandwidth. I have verified that mine possesses this bandwidth using a very reliable, stable signal generator (Fluke 6061A)
EDIT: Thanks ian.ameline for the link to a download source for the custom software. I have updated step 6 with this information.
-
The OS with the known password can be found here; https://www45.zippyshare.com/v/SEUJEWE1/file.html
The instructions above are accurate.
-
Ian posted the most concise instructions for the bandwidth upgrade in that thread:
1. Update with the OS update with the known root password.
a) Which you get.... where?
b) How do you install it?
2. telnet to the scope, and log in as root.
a) Telnet port #?
3. Execute these commands:
mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
4. Reboot
Is that definitively all it takes? I've read a few places that there's some weird aliasing at high frequencies that isn't in the real 200Mhz version of the 'scope, that maybe something else needs tweaking.
To me it seems weird that you'd hide the bandwidth.txt file instead of modifying it (if I were a Siglent firmware writer I'd default to low bandwidth when the file is missing)
I don't think there has been a definitive consensus on unlocking the other options without option codes?
You mean the "software" part of the AWG, MSO and WiFi options?
- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions
- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.
- Yes, that is all it takes. Others have confirmed that the bandwidth is increased.
- It looks to me like the scope is deliberately designed to be hackable. It would be very easy for it to have been much harder. It is not. It is *very* easy.
-
Does this work for the SDS1102X ?
Presumably it would need different hacked software?
-
- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions
- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.
Nice attitude.
Other 'scopes have different ports, I just want the port used by Siglent to be written down clearly (which you've failed to achieve).
- Yes, that is all it takes. Others have confirmed that the bandwidth is increased.
Nobody's doubting the bandwidth increases but some people claim to have noticed weird aliasing (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1624537/#msg1624537) or that the capacitors (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613386/#msg1613386) are different.
Those problems might be just the probes (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1619152/#msg1619152). It's reasonably well known that cheap-ass probes start to go to hell around 250MHz and one of the differences between the two models is that you get much better probes with the 200MHz version.
If it is the probes then a new set of probes should probably be thrown into the upgrade mix, that puts the price of the "hacked" version up by $100.
Food for thought, yes?
- It looks to me like the scope is deliberately designed to be hackable. It would be very easy for it to have been much harder. It is not. It is *very* easy.
How do you explain the fact that the 'scope is only eight months old but you already need to download old firmwares to be able to do it, that newer firmwares don't work? What happens if Siglent decides to encrypt that file and make it default to 50Mhz when it's missing? It is *very* easy to make it much harder. :popcorn:
(and what happens when Siglent removes that old firmware from their web site?)
PS: Nowhere near as easy as a Rigol (neener neener).
-
3. Execute these commands:
mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
4. Reboot
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.
I'm, not at all linux expert (far away) so I can not my self think when it is important exactly and when not, so I use it nearly always. In some cases it is extremely important, in some cases perhaps not so important and always we can try walk with just trusting good luck.
3. Execute these commands:
mount -o remount,rw ubi2_0 /usr/bin/siglent/firmdata0
cd /usr/bin/siglent/firmdata0
mv bandwidth.txt bandwidth.bak
sync
4. Reboot
Perhaps some who really know could take position to this with reasoning.
-
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.
Linux knows how to do a sync before a soft reboot but the word "reboot" is ambiguous, yes. Some people might power-cycle it instead of typing "shutdown -r" at the command line.
(take note, ian.ameline).
-
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.
Linux knows how to do a sync before a soft reboot but the word "reboot" is ambiguous, yes. Some people might power-cycle it instead of typing "shutdown -r" at the command line.
(take note, ian.ameline).
Just because this bolded...
-
- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions
- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.
Nice attitude.
Other 'scopes have different ports, I just want the port used by Siglent to be written down clearly (which you've failed to achieve).
If some scope manufacturer do not follow RFC854 about Telnet protocol it is they own problem.
It is clearly stated in RFC854 page 15. L=23
-
If some scope manufacturer do not follow RFC854 about Telnet protocol it is they own problem.
It is clearly stated in RFC854 page 15. L=23
I don't think "RTFM!" should be used in a "step by step" guide - this is the FM.
-
If some scope manufacturer do not follow RFC854 about Telnet protocol it is they own problem.
It is clearly stated in RFC854 page 15. L=23
I don't think "RTFM!" should be used in a "step by step" guide - this is the FM.
Yes, and if this FM would not mention port, then obviously, the less than experienced user would not write it in the command either, so the command ends up using the default port, which thus works. A more experienced user would already know that if the port is the default, it is typically left out from instructions, (and that if it is not default, it is shown). Thus, the earlier version without the port number was quite sufficient, and this nitpicking about port number is just that, useless nitpicking.
Otherwise :-+, points for making the push to get those instructions done clearly in one place, instead of the typical spread of bits and pieces in here and there over 3 threads and 10 pages among all the other messages. Certainly makes it easier than before.
-
Sometimes it is easy forget that not all peoples have used telnet at 80's ;)
So it is perhaps good to tell (but also most of good telnet client do it as default, as example many times recommended PuTTY or just plain puttytel.exe (a Telnet-only client) )
-
http://lmgtfy.com/?q=default+telnet+port (http://lmgtfy.com/?q=default+telnet+port)
If you're too lazy to use google, I really don't know how to respond. You may have chosen the wrong hobby if you expect someone else to do all the work for you.
There -- now my attitude is clear.
- You install the OS just like you'd install the one you got from SIGLENT -- just follow their instructions
- The telnet port is the default one telnet uses -- just telnet to the ip address of the scope.
Nice attitude.
Other 'scopes have different ports, I just want the port used by Siglent to be written down clearly (which you've failed to achieve).
- Yes, that is all it takes. Others have confirmed that the bandwidth is increased.
Nobody's doubting the bandwidth increases but some people claim to have noticed weird aliasing (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1624537/#msg1624537) or that the capacitors (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613386/#msg1613386) are different.
Those problems might be just the probes (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1619152/#msg1619152). It's reasonably well known that cheap-ass probes start to go to hell around 250MHz and one of the differences between the two models is that you get much better probes with the 200MHz version.
It it is the probes then a new set of probes should probably be thrown into the upgrade mix, that puts the price of the "hacked" version up by $100.
Food for thought, yes?
- It looks to me like the scope is deliberately designed to be hackable. It would be very easy for it to have been much harder. It is not. It is *very* easy.
How do you explain the fact that the 'scope is only eight months old but you already need to download old firmwares to be able to do it, that newer firmwares don't work? What happens if Siglent decides to encrypt that file and make it default to 50Mhz when it's missing? It is *very* easy to make it much harder. :popcorn:
(and what happens when Siglent removes that old firmware from their web site?)
PS: Nowhere near as easy as a Rigol (neener neener).
What if purple monkeys fly out of my ass? What if, what if, what if.
You asked for the hack -- we gave it to you. Now you complain. Again, you probably should take up golf instead.
Cheers...
-
Even when this particular case do not need but with bit expensive way in history I have learned that after editing it is good practice to use sync command before shut down.
Linux knows how to do a sync before a soft reboot but the word "reboot" is ambiguous, yes. Some people might power-cycle it instead of typing "shutdown -r" at the command line.
(take note, ian.ameline).
Good point -- I tend to assume people around here who poke around with electrons aren't lazy idiots, and research perhaps even a little background knowledge before poking their meat-probes at things they may have little experience with -- clearly an unexamined assumption -- google must be too hard to use.
But in the case here, buffers are flushed pretty quickly -- you'd need to power cycle within milliseconds to have a problem, and even then, you'd have to get really unlucky (in a microsecond wide window) to get an inconsistent state in the flash. I doubt you could make it happen by trying.
-
http://lmgtfy.com/?q=default+telnet+port (http://lmgtfy.com/?q=default+telnet+port)
If you're too lazy to use google, I really don't know how to respond. You may have chosen the wrong hobby if you expect someone else to do all the work for you.
Um, the question was whether Siglent uses the standard port, not if I (or somebody who doesn't spend their lives using green-screen Linux) can google what the standard port is.
There -- now my attitude is clear.
Crystal.
-
Next question: When people say "the one with the known root password", what would that password be?
(I think we have to assume that not everybody will "know" it)
-
Next question: When people say "the one with the known root password", what would that password be?
(I think we have to assume that not everybody will "know" it)
Why lazy people should be fed.
-
Next question: When people say "the one with the known root password", what would that password be?
(I think we have to assume that not everybody will "know" it)
Let's just say that if you are a regular eevblog reader, you are typing the password every day.
As regards the concern that you are restricted to using the outdated firmware to perform the bandwidth upgrade, it is possible to modify any firmware revision yourself and insert your own custom password. You can follow the posts by janekivi & tv84 in the Siglent .ads file thread where the process is described in detail.
-
As regards the concern that you are restricted to using the outdated firmware to perform the bandwidth upgrade, it is possible to modify any firmware revision yourself and insert your own custom password. You can follow the posts by janekivi & tv84 in the Siglent .ads file thread where the process is described in detail.
I'm more worried that in the future the 'scope might not default to 200Mhz when the bandwidth.txt file is missing.
(eg. it could just as easily default to 50MHz... :popcorn: )
-
Although I disagree with the way the OP has been conducting this process, I would like to add my 2 cents to the benefit of the whole forum:
All must realize that the method described previously (removing the bandwidth.txt) triggers the activation of the PRO_MODE in the scope (which is the "Production Mode"). This mode enables all the Options and the BW to the max possible.
This mode can, in fact, be easily disabled in future FW versions and/or Siglent can change it to trigger the activation of the lowest BW instead of the highest. Maybe they use the highest precisely to evaluate the full potential of the equipment before leaving factory...
The activation using the official licenses as described by me in the Siglent .ADS thread is more future proof (and can also be used in other equipments). Of course, if you end up just discovering the lower BW licenses, then you can reinsert the original bandwidth.txt.
I leave a small "easter egg" attached that does the following:
sync
mount -o sync,rw,remount /usr/bin/siglent/firmdata0/
sync
mv /usr/bin/siglent/firmdata0/bandwidth.txt /usr/bin/siglent/firmdata0/bandwidth.bak
sync
mount -o sync,ro,remount /usr/bin/siglent/firmdata0/
sync
which means it replaces all the steps described previously in this thread without the need to change FS root password, etc.
Execute it as a normal update. It should be run after the scope is running and you should reboot after. For security reasons it won't overwrite any existing bandwidth.bak so that you can keep the original (in case people run it multiple times).
-
This is an unofficial guide on how to unlock 200Mhz bandwidth on SDS1104X-E oscilloscopes, effectively turning them into SDS1204X-Es....................
Warning: The PP510 (https://store.siglentamerica.com/product/pp510-1000-mhz-oscilloscope-probe/) probes that are supplied with the SDS1104X-E are 100MHz probes. If you intend to make use of the 200Mhz bandwidth then you need to spend an extra $100 and get a set of real 200Mhz probes, eg. the PP215 (https://store.siglentamerica.com/product/pb215-150-mhz-oscilloscope-probe/) probes that are supplied with the SDS1204X-E.
If you don't do this then you won't have 200MHz bandwidth and you may get misleading readings on screen. You have been warned.
Scaremongering BS ! :bullshit:
Some ppls just don't/won't do their homework ! ::)
Or don't have a clue. :-//
It is clearly seen PP510 and PP215 probe performance combined with scope performance is well within system specification !
(https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/?action=dlattach;attach=397963)
From this post:
https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/msg1434665/#msg1434665 (https://www.eevblog.com/forum/testgear/siglent-sds1104x-e-in-depth-review/msg1434665/#msg1434665)
-
Next question: When people say "the one with the known root password", what would that password be?
(I think we have to assume that not everybody will "know" it)
Then this not for those everybody.
"If you don't know the password, you are not qualified to hack your equipment!"
Password is our signature and made for us only. We don't speak about it loud everywhere.
You must be one of us. If you are, you have been here and you know things. If not...
you are not qualified to hack your equipment.
And even if strangers outside can use them, they can't spread them without our mark.
If this is too much asked and you just need all options and bandwidth, buy them!
-
By the way, those "ZippyShare" links are not working at all for me (in my region). Don't know if I need VPN for this or not. If someone can provide me the file, I can try to put on another shared folder for plp with my issue... Thanks!
-
The activation using the official licenses as described by me in the Siglent .ADS thread is more future proof (and can also be used in other equipments). Of course, if you end up just discovering the lower BW licenses, then you can reinsert the original bandwidth.txt.
Okay, I'm attempting to follow this alternative path to unlock my brand new 1104X-E (delivered w/ 7.1.6.1.25R2) and I've encountered a problem/questions.
I loaded SS1004X-E_OSV1_EN_eevblog on a thumbdrive, and uploaded my scope.
I logged in via telnet, and executed the following:
cd /usr/bin/siglent/usr/mass_storage/U-disk0
cat /dev/mem > memdump.bin
this yields an error:
cat: read error: Bad address
the resulting file:
/usr/bin/siglent/usr/mass_storage/U-disk0 # ls -l memdump.bin
-rwxr-xr-x 1 root root 251658240 Jan 1 00:22 memdump.bin
so I end up w/ a file 240MB in size (240*1024*1024)
yielding the question
(1) "is this expected?" (e.g. both the error, and the resulting file size.)
If I take that file, and run it through the license code detector C# app, I get ~100 unique strings. Most of them look like regular text strings (e.g. ' 6cachingiterator'), others -- about 6 -- look like random strings (FTKW-UZFD-7PKY-D5MK and b4fa-cf7d-5c37-c2df). I tried plugging in those 6 random strings into the license manager (Options->Install) but I get a "data is invalid" error. So
(2) does anyone know what the license codes actually look like (e.g. should they be hexadecimal only? or can they include non-hex alphanumerics?)
(3) should I be attempting to enter the codes at this point, or should I be doing something else before I attempt it (e.g. perform a different update, etc.) and THEN try the codes?
Thanks,
Vin
-
1. :-+
2. See my example.
3. Try codes.
-
Of the 90+ sets of upper or lowercase characters/digits, only 6 appear to be random -- the remaining contain English words, which makes me believe they are part of the OS.
The remaining 6, I attempted to install through the scopes panel -- I attempted each code for each option (MSO, Wifi, AWG) and each time I receive "The data is invalid", which leads me to suspect the output generated from the C# code does not contain any licensing codes.
I suppose I could print out a hex dump of the bin file and look for strings by hand, to see if there are keys missed by the C# code.... the PDF created by winhex is only 91,301 pages long :)
-
If I take that file, and run it through the license code detector C# app, I get ~100 unique strings. Most of them look like regular text strings (e.g. ' 6cachingiterator'), others -- about 6 -- look like random strings (FTKW-UZFD-7PKY-D5MK and b4fa-cf7d-5c37-c2df). I tried plugging in those 6 random strings into the license manager (Options->Install) but I get a "data is invalid" error. So
Any chance you could share how you run the memdump.bin in the C# script?
Thank you :-)
-
The remaining 6, I attempted to install through the scopes panel -- I attempted each code for each option (MSO, Wifi, AWG) and each time I receive "The data is invalid", which leads me to suspect the output generated from the C# code does not contain any licensing codes.
But they could be BW licenses... ;)
I suppose I could print out a hex dump of the bin file and look for strings by hand, to see if there are keys missed by the C# code.... the PDF created by winhex is only 91,301 pages long :)
You're getting there! If you carefully RTFM it suggests: "the most probable thing happening is that the text is concatenated with some other string/license! I leave that as homework. First, inspect both halfs of 32-char size strings..."
-
Any chance you could share how you run the memdump.bin in the C# script?
:wtf: Have you even looked at the script?
byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");
-
Any chance you could share how you run the memdump.bin in the C# script?
:wtf: Have you even looked at the script?
byte[] buffer = System.IO.File.ReadAllBytes(@"memdump.bin");
Of course I have looked at the the script :-) I am not a programmer apart from some arduino stuff. I am sorry.
-
download/install visual studio community edition, and then cut/paste the code into a Win32 console application:
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace TestApp
{
class Program
{
static void Main(string[] args)
{
byte[] buffer = System.IO.File.ReadAllBytes(@"G:\memdump.bin");
for (int j = 0, l = 0; j < 2; j++, l += 0x20)
for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
if ( ((buffer[i] < '2') || (buffer[i] > '9')) &&
((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) &&
buffer[i] != ('L' + l) &&
buffer[i] != ('O' + l))
{
if (strSize == 16)
Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
strSize = 0;
strStart = i + 1;
}
else strSize++;
Console.ReadKey();
}
}
change hard-coded filename if you like, or, perhaps, modify code to use args[1] compile and run.
-
If you carefully RTFM it suggests: "the most probable thing happening is that the text is concatenated with some other string/license! I leave that as homework. First, inspect both halfs of 32-char size strings..."
I did see this, but I'm having a difficult time grokking exactly what you mean.
Assuming I have the following:
0819ABBB 8ki7-axhk-yilk-bdgy
0819ABDB 8ki7-axhk-yilk-bdgy
0819ABFB 8ki7-axhk-yilk-bdgy
I interpreted the clause as meaning I should try "yilk-bggy-8ki7-axkh' in addition (which didn't work).
I also tried "axhk-yilk-bdgy-8ki7" and "bdgy-8ki7-axhk-yilk" without success.
Or, should I be trying all combinations, e.g. ki7a-..., i7ax..., 7axh..., shifting each character at a time, like a rotate w/ carry?
Is there an easier way to try license codes, other than keying them in though the intensity/adjust/select dial (e.g. through the telnet interface?)
-
download/install visual studio community edition, and then cut/paste the code into a Win32 console application:
using System;
using System.IO;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace TestApp
{
class Program
{
static void Main(string[] args)
{
byte[] buffer = System.IO.File.ReadAllBytes(@"G:\memdump.bin");
for (int j = 0, l = 0; j < 2; j++, l += 0x20)
for (int i = 0, strStart = 0, strSize = 0; i < buffer.Length; i++)
if ( ((buffer[i] < '2') || (buffer[i] > '9')) &&
((buffer[i] < 'A' + l) || (buffer[i] > 'Z' + l)) &&
buffer[i] != ('L' + l) &&
buffer[i] != ('O' + l))
{
if (strSize == 16)
Console.WriteLine("{0:X8} - {1}", strStart, Encoding.UTF8.GetString(buffer, strStart, strSize));
strSize = 0;
strStart = i + 1;
}
else strSize++;
Console.ReadKey();
}
}
change hard-coded filename if you like, or, perhaps, modify code to use args[1] compile and run.
Thank you very much, managed to get the memory dump processed, and found some interesting things with some (a lot of) help 8)
-
Thank you very much, managed to get the memory dump processed, and found some interesting things with some (a lot of) help 8)
For some real fun, check out these GitHub repositories:
https://github.com/Siglent/FindKeys
https://github.com/Siglent/TryKeys
Purely for educational purposes only. User is expected to comply with all applicable state, county, federal and international laws :)
-
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course). No "guessing games" like the other software posted (although it was a fun intellectual exercise!)
Skill level: Easy/Moderate
Risk: Slim to none.
Assumptions: You know the root password to your scope.
Steps:
1. download full armv7l version of busybox which has core dump enabled.
see: https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-armv7l
2. put version on thumb disk
3. reboot scope to known state
4. telnet to scope and log in as root
5. insert usb stick
6. copy busybox binary from usb to /tmp:
cp /usr/bin/siglent/usr/mass_storage0/U-disk/busybox-armv7l /tmp
7. unmount and remove usb
umount /usr/bin/siglent/usr/mass_storage/U-disk0
(and then remove usb stick)
8. identify and kill existing sds1000b.app
ps -ef | grep sds | awk '{printf "kill -9 %s\n", $1}' | ash
9. change to /tmp directory:
cd /tmp
10. launch new busybox ash shell
/tmp/busybox_armv7l ash
(when you press enter it looks like nothing happens, but something does)
11. re-launch scope app in new busybox environment in background
/usr/bin/siglent/sds1000b.app &
12. increase core dump ulimit to unlimited:
ulimit -c unlimited
you can verify new limit by typing
ulimit -c
and you should get a response "unlimited"
12. kill scope app again, telling OS to create a core dump of the app:
ps -ef | grep sds | awk '{printf "kill -ABRT %s\n", $1}' | ash
13. wait a few seconds, and press enter once or twice. you should see:
[1]+ Aborted (core dumped) /usr/bin/siglent/sds1000b.app
if you do not, you did something wrong, go to step #3
14. verify core dump is in /tmp:
ls /tmp/core*
you should see something like this:
-rw------- 1 root root 377511936 Jan 1 00:14 /tmp/core
if not, you did something wrong, go to step #3
15. exit out of usb version of busybox shell
exit
(it will look like nothing happens when you press enter, but, something does)
16. re-launch Siglent scope application. See Step #11
17. insert usb drive
18. copy core dump to thumb drive
cp core /usr/bin/siglent/usr/mass_storage/U-disk0/coredump.bin
(this will take a minute or two, its a big file)
19. unmount usb stick and remove (see step #7)
20. Insert USB stick on Windows/Mac/Linux and open the coredump.bin file in your favorite hex editor.
21. Search for string "SDS1000X-E". Keep searching until you find the string next to either your scopeid (if you do not know your scope id, you can get it using the SCPI SCOPEID? command thru the web interface) or your serial number.
22. When you locate the entry with your scope ID, you will see a series of 5 16-character strings below it (one will look like a 32 character string, split it into half so you have two 16-character strings. These are your 100, 200, 50 and 70 mhz license keys, respectively. The one that appears twice is the license key your scope is currently licensed under.
23. You can license a different bandwidth by typing MCBD (license key) at the scope's SCPI web interface. It is necessary to reboot after you do this for everything to reset and take effect. You can verify the bandwidth by typing PRBD? through the SCPI web interface.
24. When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. if you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO.
25. You can license any options through the scope's SCPI interface using LCISL (option),(key) where (option) is AWG, WIFI or MSO and (key) is the 16-character key.
26. after doing so, even though the options are immediately licensed and active, I recommend a reboot for the new options to take effect.
27. Write keys down in a safe place so you do not lose them again.
-
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course).
...
27. Write keys down in a safe place so you do not lose them again.
I promise I won't lose my keys again. ;D
-
Thanks for all the info posted here and in the firmware thread. The sample code really helped show me where in the memory dump to look for things and how they are stored. I can see patterns related to the restored keys location and surrounding data, hoping to make sense of it and then make the key backup better/easier.
Some tips...
1) A simple memdump is all you need to grab for trying to backup your keys. (In my case I didnt have to do a coredump)
2) The FindKeys/TryKeys code works very well.
3) Backup the whole "siglent" folder to your USB stick just in case.
I got sidetracked and started digging into the firmware files.
The webserver is very interesting, its lighthttpd with php 5.
They made a custom c module (.so) to handle communicating between the web front end and the hardware. AJAX scpi commands + more is possible.
Did you know, to change from english to chinese they do a file copy/move of php files around ? interesting.
The visual is via a custom/modified VNC server with websockets support. On the client its using the noVNC library, which for some reason has a quicker refresh rate and much faster updates than a real vnc client.
-
I posted this in the general SDS1104/1204X-E thread, but was directed here. If you have a memory dump from their SDS1000X-E and want to parse it for keys, the Python function to do it. It works with all dumps from my oscilloscope (1104X-E), but I only have the one. It'd be great to hear if it works for others.
import re
import string
def getkeys(scopeid, serialno, memdumpfile):
"""
Parse a memory dump from a Siglent 1000X-E oscilloscope and return a dict containing
license keys for bandwidths and options. The 'activebw' key is the one that is currently
active in the 'scope (e.g. if the value of '100M' is the same as the value of 'activebw',
the oscilloscope is software locked to 100 MHz bandwidth)
"""
if len(scopeid) == 16 and set(scopeid) <= set(string.hexdigits):
scopeid = scopeid.lower().encode('utf-8')
else:
raise ValueError('Scope ID must be 16 hexadecimal characters (remove dashes).')
if len(serialno) == 14 and set(serialno) <= set(string.ascii_letters + string.digits):
serialno = serialno.upper().encode('utf-8')
else:
raise ValueError('Serial number must be 14 alphanumeric characters.')
f = open(memdumpfile, 'rb')
data = f.read()
f.close()
regex_bw = re.compile(scopeid + b'.*?'+ scopeid + b'.*?([0-9A-Z]{16}).*?([0-9A-Z]{16}).*?([0-9A-Z]{16}).*?([0-9A-Z]{16}).*?([0-9A-Z]{16})', re.DOTALL)
regex_opt = re.compile(serialno + b'.*?' + serialno + b'.*?([0-9A-Z]{48})', re.DOTALL)
key_bw = list([n.decode('utf-8') for n in re.findall(regex_bw, data)[0]])
key_opt = re.findall('.{16}', re.findall(regex_opt, data)[0].decode('utf-8'))
keys = {}
key_labels = ('100M', '200M', '50M', '70M', 'activebw', 'awg', 'wifi', 'mso')
keys.update(zip(key_labels, key_bw + key_opt))
return(keys)
As nicolasg posted, a simple cat /dev/mem worked well for me - I didn't need to trigger a core dump.
-
Hello, i have a simple question last month i've updated to SDS1004X-E Firmware (4-Channel Model)- 6.1.26 (Release Date 09.26.18 ) do I have to downgrade to 6.1.25R2 before the unlock ?
thanks ! ;D
-
Thanks for this guys, VT100s guide has a few typos, but worked well.
-
Hello, i have a simple question last month i've updated to SDS1004X-E Firmware (4-Channel Model)- 6.1.26 (Release Date 09.26.18 ) do I have to downgrade to 6.1.25R2 before the unlock ?
thanks ! ;D
No.
-
Thanks for this guys, VT100s guide has a few typos, but worked well.
if you email me the typos I can update so things are correct. sometimes my brain and hands work at different speeds so what I am thinking and what comes out on the screen are two different things.
-
This process will obtain your license keys from a core dump of the scope application itself, in case you lost the paperwork after you purchased them (of course). No "guessing games" like the other software posted (although it was a fun intellectual exercise!)
Skill level: Easy/Moderate
Risk: Slim to none.
Assumptions: You know the root password to your scope.
Steps:
1. download full armv7l version of busybox which has core dump enabled.
see: [url]https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-armv7l[/url]
2. put version on thumb disk
3. reboot scope to known state
4. telnet to scope and log in as root
5. insert usb stick
6. copy busybox binary from usb to /tmp:
cp /usr/bin/siglent/usr/mass_storage0/U-disk/busybox-armv7l /tmp
7. unmount and remove usb
umount /usr/bin/siglent/usr/mass_storage/U-disk0
(and then remove usb stick)
8. identify and kill existing sds1000b.app
ps -ef | grep sds | awk '{printf "kill -9 %s\n", $1}' | ash
9. change to /tmp directory:
cd /tmp
10. launch new busybox ash shell
/tmp/busybox_armv7l ash
(when you press enter it looks like nothing happens, but something does)
11. re-launch scope app in new busybox environment in background
/usr/bin/siglent/sds1000b.app &
12. increase core dump ulimit to unlimited:
ulimit -c unlimited
you can verify new limit by typing
ulimit -c
and you should get a response "unlimited"
12. kill scope app again, telling OS to create a core dump of the app:
ps -ef | grep sds | awk '{printf "kill -ABRT %s\n", $1}' | ash
13. wait a few seconds, and press enter once or twice. you should see:
[1]+ Aborted (core dumped) /usr/bin/siglent/sds1000b.app
if you do not, you did something wrong, go to step #3
14. verify core dump is in /tmp:
ls /tmp/core*
you should see something like this:
-rw------- 1 root root 377511936 Jan 1 00:14 /tmp/core
if not, you did something wrong, go to step #3
15. exit out of usb version of busybox shell
exit
(it will look like nothing happens when you press enter, but, something does)
16. re-launch Siglent scope application. See Step #11
17. insert usb drive
18. copy core dump to thumb drive
cp core /usr/bin/siglent/usr/mass_storage/U-disk0/coredump.bin
(this will take a minute or two, its a big file)
19. unmount usb stick and remove (see step #7)
20. Insert USB stick on Windows/Mac/Linux and open the coredump.bin file in your favorite hex editor.
21. Search for string "SDS1000X-E". Keep searching until you find the string next to either your scopeid (if you do not know your scope id, you can get it using the SCPI SCOPEID? command thru the web interface) or your serial number.
22. When you locate the entry with your scope ID, you will see a series of 5 16-character strings below it (one will look like a 32 character string, split it into half so you have two 16-character strings. These are your 100, 200, 50 and 70 mhz license keys, respectively. The one that appears twice is the license key your scope is currently licensed under.
23. You can license a different bandwidth by typing MCBD (license key) at the scope's SCPI web interface. It is necessary to reboot after you do this for everything to reset and take effect. You can verify the bandwidth by typing PRBD? through the SCPI web interface.
24. When you locate the entry with your serial number, you will see a series of (at least) 3 16-character strings. If you have any options already licensed, those keys will appear twice. if you have no options licensed, they only appear once. The keys are, respectively, AWG, WIFI and MSO.
25. You can license any options through the scope's SCPI interface using LCISL (option),(key) where (option) is AWG, WIFI or MSO and (key) is the 16-character key.
26. after doing so, even though the options are immediately licensed and active, I recommend a reboot for the new options to take effect.
27. Write keys down in a safe place so you do not lose them again.
So it looks like the coredump utility of the ARM7L busybox file you linked us has not been enabled (at least according to the log file on that website). Does anyone have a compiled version of busybox with coredump enabled?
-
The linked version did dump for me, I just had to kill it 3 times, third time worked.
-
Which kill worked the third time? The first process kill or the second one after BusyBox was running? What was the procedure that worked for you?
-
For some real fun, check out these GitHub repositories:
https://github.com/Siglent/FindKeys
https://github.com/Siglent/TryKeys
Purely for educational purposes only. User is expected to comply with all applicable state, county, federal and international laws :)
This is almost awesome and almost worked swimmingly well.
The Tek 475 here decided to go traceless. I'd been sorely tempted by the low end Rigol for the last few years, but the Siglent at 200MHz with four channels felt like a more compelling addition. Don't need the 200MHz, don't actually need any of the other features either, don't even use a scope often anymore, but it's always fun to hack, and being able to log in to your devices to poke around is fun. Aside from not immediately figuring out that the unit came with DHCP disabled, all of that went very well and I had the eevblog-modified OS loaded and running without much ado.
However, when I got to the github projects above, my code development environment is much closer to working on a VT100 than it is a PC with an IDE. There was a little irony that a user with a handle of VT100 posted a bunch of Microsoft-dependent stuff. I didn't have Visual Studio loaded anywhere, and how to use it wasn't entirely clear to me, as my development environment is usually just vi, cc, make, and the rest of the UNIX stack. I figure if someone who's written tons of C had issues figuring this out, maybe non-developers or other old UNIX farts might have trouble too. If this turns out to be helpful to someone, here's a few notes, hard won through about eight hours of persistence and one trashed VM, hopefully a clue or two for anyone similarly clueless-ish about Visual Studio:
Visual Studio is huge. It almost overflowed my 50GB Windows lab VM's. I installed Visual Studio Community 2017 with the Visual Studio Installer downloaded from Microsoft. Under "Workloads" I had it install .NET Desktop Development, Desktop development with C++, and .NET Core cross platform development. I also selected "NuGet targets and build tasks" under "Installation details" the second time around, because something went tragically wrong with my first VM, and NuGet wasn't working correctly. Some of these selections are needlessly sloppy, I'm sure.
Once in Visual Studio 2017, I went to "File -> Open -> Open from Source Control", plugged in the FindKeys github URL, and it picked it up, bringing up a "Solution Explorer" window. After spending some time looking around and wondering where a "build" button or key was, I opened "Program.cs" in the editor to look at it and suddenly "Build" became available in the menu bar. Yay for obtuseness. It built the FindKeys.dll just fine, depositing it in C:\Users\username\source\repos\FindKeys\bin\Debug\netcoreapp2.1, so I just moved the memory dump bin file to that directory and ran it there, and it worked.
At this point, things went off the rails unrecoverably on the first VM. I tried to do the same process for TryKeys and it went seriously sideways. It needed a package called "LiteGuard" and I couldn't figure out how to install it. For whatever reason, NuGet was broken and unusable in the first VM. Being unfamiliar with the tool and thinking myself just too dumb for modern tools, I wasted several hours stuck trying to remediate that. Install-Package simply wasn't there or was broken or something. So I switched to a different lab VM, installed Visual Studio again, and went to do TryKeys again.
This bombed as the build still needed "LiteGuard". Trying to install that, it refused. It really wanted a project name. So I knew I wasn't really doing this correctly, but I didn't really care, so I exited out of VS to dump the mess, launched VS again, did "New -> Project from Existing Code", specified "Visual C#", pointed the dir at C:\Users\username\source\repos\TryKeys, and named it "TryKeys". Then I was finally able to successfully go to "Tools -> NuGet Package Manager -> Package Manager Console" and entered
PM> Install-Package LiteGuard -Project TryKeys
It still presented an error but it seemed to complete, so I again opened Program.cs, ran "Build", and it built, and ran great.
Y'all are welcome to explain in excruciating detail how I made this more complicated than needed or went about it entirely the wrong way. :-) I just felt it would be a shame if the effort put into these two fine Siglent tools was not accessible to someone without any coding experience. Thanks for the tools.
-
My process was get to the point where you kill the application, step 12, then fire up the process again, step 11, then using "PS -A" to find its new PID, and "kill -ABRT <PID>" It was my third loop of starting and killing it that got me a core dump.
-
There was a little irony that a user with a handle of VT100 posted a bunch of Microsoft-dependent stuff.
I wanted to learn .netcore and this was my first .net core application.
Visual Studio is huge. It almost overflowed my 50GB Windows lab VM's.
if someone makes a pre-compiled version available then you could get away with installing the .dot core runtime, which is significantly smaller, and would run on linux. .dotcore apps will compile and run on linux, allegedly.
It needed a package called "LiteGuard" and I couldn't figure out how to install it.
I have absolutely no idea what LiteGuard is. It wasn't a nuget package I used, but it does show up in project.assets.json now that I look. Perhaps it was a dependency of another nuget package I used in TryKeys which I didn't use in FindKeys -- e.g. the telnet library, for instance.
It was my third loop of starting and killing it that got me a core dump.
Strange thing is, I get a core dump each and every time, on the first try. I have no explanation as to why others have problems getting a core dump. Maybe I'm lucky.
-
I think I found an easier way to get the mem dump. I did this without needing to set a known root password.
I did this with a stock standard unhacked new SDS1104X-E software version 8.1.6.1.26. Some notes:
Insert a USB thumb drive formatted appropriately for the SDS1104X-E
Using the SCPI control of the web interface, put the following command (or similar depending on what filename you want):
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
Wait a minute or more for it to complete - it needs to copy a 256 megabyte file
cleanly shutdown the SDS1104X-E (with the power button on the front)
You can now move the USB thumb drive to a pc. There should be a memdump.bin file on there. You can follow other people already mentioned processes to extract keys from this. I used vt100's instructions from step 20 onwards here: https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg1877477/#msg1877477 (https://www.eevblog.com/forum/testgear/unlocking-siglent-sds1104x-e-step-by-step/msg1877477/#msg1877477) Thanks vt100. I used the free "Hex Fiend" on macos as the Hex editor but I expect any would do.
Thanks to Rerouter for letting me know about the "SHELLCMD" SCPI command https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2041069/#msg2041069 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2041069/#msg2041069).
Also thanks to everyone who provided procedures for extracting keys.
-
I should point out the memdump is slightly different to the core dump.
the core dump has the licenses loaded in somehow, (havent actually looked into it). while the memdump is just the application file.
so you cannot unlock at present with just the system file.
The other issue is if you tried to get a core dump, well the web interface is run by the system app, so once it crashes, the interface locks up.
-
I should point out the memdump is slightly different to the core dump.
the core dump has the licenses loaded in somehow, (havent actually looked into it). while the memdump is just the application file.
so you cannot unlock at present with just the system file.
The other issue is if you tried to get a core dump, well the web interface is run by the system app, so once it crashes, the interface locks up.
With the file produced by the "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" command, I believe I found all the keys. I think /dev/mem includes all memory - not just the memory from an application core dump. I only tested the bandwidth key as I don't have a need for the other ones. Bandwidth key worked for me.
-
Coredump provides a continuous mem image.
/dev/mem provides a fragmented memory image (in blocks of 4kB or something), with "random" order. For me it's random, if anyone can explain the logic it would be GREAT!
They are not the same and that's why some manipulations need to be done in /dev/mem.
BUT, both ways provide the needed licenses.
-
well if you wanted to play it that way, there are very few strings that are only capitalized alphanumeric, at least 16 characters long and contain no symbols, so on that basis you may be able to filter down memory images to only relevant ASCII formatted strings,
-
/dev/mem provides a fragmented memory image (in blocks of 4kB or something), with "random" order. For me it's random, if anyone can explain the logic it would be GREAT!
I'm no kernel expert, but at least on "bigger CPUs" most kernels these days do some kind of memory space randomization (which is probably "corrected" in the page tables inside CPU) for security reasons. Malware have harder time looking for data or injecting code, since the desired locations are randomly somewhere... (That description is probably too simple, slightly misunderstood by me, etc. but... might explain the random order in the /dev/mem. Something like this: https://en.wikipedia.org/wiki/Address_space_layout_randomization)
-
I spent quite a bit of time on this, with tv84's guidance, so let me state the following.
cat /dev/mem will give you a memory dump of the scope's entire memory. That memory is managed by the operating system kernel, and is broken up into 4k chunks, aka "pages". The kernel memory manager allots those pages to each process, using a process only someone intimately family with the kernel would be able to explain. Suffice to say, for our purposes, we can assume that any given process running on the scope will be assigned memory pages in a completely random order, even though to the process itself they may appear to be contiguous, they really are not, as the kernel is actually managing the allotment of and access to memory.
(if someone intimately family with the kernel memory management process can tell me where in a memory dump the paging table is located, and how to extract information from it in order to "reorganize" the memory pages for a given process into a single contiguous chunk, feel free to email me, I always enjoy a good intellectual exercise in programming.)
In order to retrieve your license keys from a memory dump, you need to utilize the process (either automatically or manually) captured in the "FindKeys" and "TryKeys" .net Core applications posted on GitHub. The reason being the memory keys will more than likely be "fragmented" into multiple 4k pages of memory. You may have 1/2 of a key at the end of one 4k memory page, and the remainder of the key at the start of another 4k memory page (I personally observe this w/ my own scope and was taking screen shots of a winhex display of the memory dump when I was going back and forth with tv84). And, those key fragments may be located megabytes apart in the file, with the 2nd half actually being 'first' in the file and the 1st half of the key being towards the end of the file.
So what FindKeys does is it examines the memory dump and identifies strings which may possibly be part of a license key. When it identifies a partial candidate, it will combine that partial candidate with other partial candidates to create one or more candidates to try (e.g. given the program finds one 8-character string A and another 8 character string B, it will create two candidates, AB and BA, to try. Trykeys takes the file of potential keys and tries to implement them.
A core dump, however, is a contiguous snapshot of a processes' memory. When the core dump is created, the memory pages assigned to the scope process are all arranged in the correct order by the kernel. The process of creating a core dump is handled at the OS level thus the OS can organize the memory pages into the correct order as they are written to a core dump file. Thus with a core dump, the keys will be contiguous as they are represented in their actual underlying class structures and are easily discoverable using the 'shortcut' of using a hex editor to search for your serial # or scope Id.
Whenever possible, I encourage people to use the core dump method, it is cleaner and faster. However, understandably some folks have a problem getting a core dump (I cannot replicate this issue on my scope, each and every time I follow the posted 'process' in the previous post, I get a core dump, so I have no idea what makes my scope different from someone else's). For those who cannot get a core dump, then the memory dump/findkeys/trykeys route is their only option to recover the license keys they previously paid for and accidentally lost the paperwork on.
-
SIGABRT and SIGSEGV should produce a core dump, but Linux has the ability to prevent that via compile time options as well as other means I've not been able to sort out. There is a core_dump_filter in /proc/<pid>, but I don't know any of the details. I use Solaris like God intended whenever possible.
My use of Linux is like my use of Windows, it is only done under coercion.
-
My method was slightly different:
1. dump memory to fat32 formatted USB through web interface on 1104x-e - wait 1minute after performing this, then shut down the scope before doing anything else.
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
2. Compile find keys using Visual studio - https://github.com/Siglent/FindKeys
3. Run find keys on PC on the the memory dump - note you need to edit the config json.
4. Flash custom firmware with known telnet/root password ( https://www45.zippyshare.com/v/SEUJEWE1/file.html) - Follow instructions in pdf in the file. (note flash drive needs to be either 8gb or 32gb) - I tried to find a way to not do this, but it's the easiest way of getting root access.
5. Set up network on SDS1104x-e
6. Compile trykeys ( https://github.com/Siglent/TryKeys )
7. Use trykeys on a PC on the same network using the key file from findkeys, wait for reboot on 1104 - save the keys that are found - Note you need to edit the config json within findkeys
8. Update firmware to latest firmware from siglent
-
I think I found an easier way to get the mem dump. I did this without needing to set a known root password.
...
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
that worked for me as well (options and BW), tested with unhacked new SDS1204X-E software version 8.1.6.1.26
-
Now we are talking. I'd much rather avoid tinkering around with modded firmware. I'll give this method a try.
-
My SDS1104X-E arrived today with 7.1.6.1.25R2 (stock) on it.
After some fun (creating a wireless client bridge to get wired LAN handy, and using Ubuntu in a VM to format the flash drive for the Unixy flash boots) I was able to log in, run the commands, and rebooted.
At that point my model number went from SDS1104X-E to SDS1204X-E. :-+
(Note to others: For the "OSV" updates, if you try to format the USB from Windows (certainly 10, maybe earlier ones) you'll likely have an annoying time of it. Bite the bullet and format and extract from Linux.) The only clue you'll have that it's working is it takes a bit longer to boot up, and the telnet password ends up working. If you're already on 7.1.6.1.25R2 like I was I'm almost certain the stock "SDS1004X-E_OSV1_EN-1.zip" step is not necessary, just the modified one.
I then grabbed the "SDS1004X-E_6.1.26_EN.zip" update and installed that. The model number is still 1204, and the firmware is now 7.1.6.1.26. I can still log in via telnet so all this suggests the unlock and mod worked.
One question though... I see mention of "8.1.6.1.26" in the thread here: is that some entirely different firmware, a typo, or what? Am I (at the moment) on the latest and greatest with 7.1.6.1.26?
Edit: One other bit of advice - if using a VM to format disks and such and you have problems with new DHCP addresses (as I just did with the SDG2042X I'm fiddling with now) be sure to shut down that VM to rule it out - in my case it made it impossible to route to the new device under test!
-
One question though... I see mention of "8.1.6.1.26" in the thread here: is that some entirely different firmware, a typo, or what? Am I (at the moment) on the latest and greatest with 7.1.6.1.26?
i made dump of my dso (8.1.6.1.26), haven't found any binary differences to OS update file (7.1.x.xx) nor to latest available firmware.
Sure there might be still something different in mtd7 or mtd8, but due to lack of dump from 7.1 i can't compare, but probably there is no diff a well.
-
8. And 7. Are the exact same. Just a rename.
-
I found a much easier way to root the scope.
After mounting the cramfs from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox. And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.
tl;dr:
Go to the SCPI web interface and send:
SHELLCMD telnetd -l/bin/sh -p9999
Then, use your favorite Telnet client to attach to port 9999. You are in -- no password challenge.
Edit: Did I note that one does this with stock firmware?
-
All the fun new things that turn up from a little digging :)
Great work ewaller
On the not so stock side, Getting the hang of patching out most of the typos in the scope software,
Main pain is the HISTORY_LIST query, they pointed command and query to the same string so having to shuffle stuff around to fit a new string.
-
I found a much easier way to root the scope.
After mounting the cramfs from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox. And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.
tl;dr:
Go to the SCPI web interface and send:
SHELLCMD telnetd -l/bin/sh -p9999
Then, use your favorite Telnet client to attach to port 9999. You are in -- no password challenge.
Edit: Did I note that one does this with stock firmware?
Do you think it is then possible to change the default root password?
-
Do you think it is then possible to change the default root password?
Not from that shell. The /etc/shadow file that contains the password hash is in a cramfs (Cram File System https://en.wikipedia.org/wiki/Cramfs ) which is inherently read only. The solution that has been used to date involves updating the system with a rebuilt cramfs with a /etc/shadow file that has the new password hash in it; then that file system -- in it entirety -- is uploaded to the scope at boot time.
Part of my motivation was was to find a way to root the system when running stock firmware; and the nice part is that it requires no password. With this, I think it will be possible to run code from a USB drive that has been cross compiled for ARM. There may be issues find finding dynamically linked libraries, and the USB drives may be mounted with the noexec flag (meaning the OS will refuse to run code from the device). I forgot to check that last night in my exploration :) I'll look tonight.
-
I'm guessing the SCPI SHELLCMD functionality will either be PDSH'd, or removed completely, in an upcoming firmware release ;D
-
I found a much easier way to root the scope.
After mounting the cramfs from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox. And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.
tl;dr:
Go to the SCPI web interface and send:
SHELLCMD telnetd -l/bin/sh -p9999
Then, use your favorite Telnet client to attach to port 9999. You are in -- no password challenge.
Edit: Did I note that one does this with stock firmware?
That is awesome - works perfectly. Thank you.
-
I should also point out, most of the recent methods listed here should work just fine for a number of BK precision scopes. :)
-
I found a much easier way to root the scope.
After mounting the cramfs from the OS update on my Arch Linux box (on a loop device), I note that the telnet server is provided by busybox. And, as the scope's web interface allows us to run shell commands as root, I figured I would spin up a telnet server where the login application is a humble shell rather than that pesky password program.
tl;dr:
Go to the SCPI web interface and send:
SHELLCMD telnetd -l/bin/sh -p9999
Then, use your favorite Telnet client to attach to port 9999. You are in -- no password challenge.
Edit: Did I note that one does this with stock firmware?
Hi, everyone. I have this scope on order and it should be here in a few days.
I very much appreciate the graciousness, expertise and effort that it took each and every participant to develop this thread. Thank you!
I am considering this upgrade, but its means is completely outside my knowledge base. I see that the steps are summarized, in the first post, but I have questions about how this post relates to the first.
- Is Ewaller's method the complete protocol, or only a portion of it?
- If it is complete in itself, Ewaller, please write a start to finish tutorial using it, for us noobs. Post #68 is still above my pay grade.
- If it is only a portion and it being easier, has it been incorporated into Post #1? If not, please do so.
Thank you for your help and kindness. I am sure I will have lots more questions.
PS: My current OS is Windows 8.1. I expect to buy a new laptop, soon. It will, likely, have Windows 10/Home.
-
His method gets you root access to do just about anything you want on the scope without changing from stock,
Earlier there was the memdump SCPI command that lets you dump out the memory, then its just a case of searching with a hex editor for the strings,
If someone doesn't write it up in the next day or two, I can. but the earlier memdump method is all you need to actually find the option codes.
The telnet access is more if you want to fiddle with the scope
-
His method gets you root access to do just about anything you want on the scope without changing from stock,
Earlier there was the memdump SCPI command that lets you dump out the memory, then its just a case of searching with a hex editor for the strings,
If someone doesn't write it up in the next day or two, I can. but the earlier memdump method is all you need to actually find the option codes.
The telnet access is more if you want to fiddle with the scope
Thank you, Rerouter.
I understand a little of this, but....
Is it that Post #1 gets you the 200MHz and nothing else? Or the options, too?
Is it that with the Ewaller method you could access the entire firmware and, given that you wrote code, you could modify it?
I just want the greater bandwidth and to use the pay-to-play options (with non-Siglent devices, like my own function generator, WiFi dongle, etc.)
I appreciate your help.
-
the memdump method will get you a file that has all the option and bandwidth codes, just takes some digging with a hex editor.
Working with your own wifi dongle is harder to say. at this point it only has a driver for the MT7601 dongle, If your familiar enough with linux drivers you can probably try and make another work via patching, but doubtful out of the box.
With your own signal generator is equally a little difficult, If you want to use the bode plot mode then you need to use similar to an earlier thread where a Python application on another PC pretended to be a networked signal gen and translated the commands, There may be a way to patch in other devices, but I have not gone digging deep enough, I defiantly know where all the bode plot strings are located, but not sure if its just a straight patch or if it needs to be broken into elsewhere,
-
Thanks, Rerouter. Much appreciated.
-
If you have used up all of your trial runs for MSO, WIFI or AWG; and you have not purchased your licence keys, you may be able to reset the number of trial runs by sending the following through the web interface SCPI mechanism (here I set the number to 99)
SHELLCMD echo -n 99 > /usr/bin/siglent/usr/usr/options_awg_times.txt
Replace the awg with wifi or mso as appropriate. change 99 to the number of demo runs you desire.
These files have exactly two characters in them with no n/l or l/f, hence the -n option on echo. 99 may, or may not be a maxima -- again, these files have exactly two characters in them.
Note, I cannot actually test this through the GUI any more as my options are all permanent, but I am fairly certain this will work for those of you who need a couple more demo runs to decide. I can see that the contents of these files do change the way I expect. Please let me know.
-
Hi,
I do not know if it is OK to ask here of if I should start a new thread...
as I'm taking into account to buy a second hand SD1104X-E I'd like to know if any of you is aware of any hardware revision during the last year.
thanks
-
yep, 04 as of the last month, no significant changes to functionality has been observed.
03 I can only speak of back to mid july, when my unit was made. it appears the FPGA code was compiled for 03 on the 7th of march 2018, so 02 likely was from before this date.
-
Hello, i applied this Unlock (ProMode) to my 1104x-e, works great (havent tested the extra features)
But i noticed a bug(?)
I did some decoding a month ago, then i turned it off, unplugged the scope and put it on a shelf.
A month later i plugged it back in, booted it up. it was dead slow. time between action and reaction was like a minute. totally locked up
even after reboot.
Only fix was to hit the default button.
Did anyone notice this without the hack applied? Could it be the Production Mode im in?
-
I followed plurns and vt100's posts as regards dumping memory to a usb and then looking through the dump in a hex editor.
Worked perfectly to recover all the codes.
Thanks a million.
-
I received my scope last night, and managed to get everything sorted nicely, however there were a few things that weren't quite as some other people seem to have found them, it was already running the latest firmware (6.1.26), not sure if that's the reason.
1. I didn't need to use a special copy of bash to get a core dump, the stock bash worked exactly the same as the special one (however see 2.)
2. The core dump didn't contain the required information, it was only about 200meg, so quite a bit smaller than other examples shown here (and smaller than the 250meg memory dump.)
3. Restarting the sds1000b process didn't work properly, a few errors and the scope was unusable, so I suspect this is the reason it didn't contain the right data.
So I resorted to a much simpler way as described by some other posters...
1. Use "SHELLCMD telnetd -l/bin/sh -p9999" to start an unauthenticated telnet server.
2. Connect to the scope using "telnet <ipaddress> 9999"
3. Insert a USB stick
4. Dump memory to the stick using "cat /dev/mem > /usr/bin/siglent/usr/mass_storage0/U-disk/memdump"
5. Pull the stick (I ran "sync" first, but I'm a legacy unix guy, need to see if that's really necessary), otherwise cleanly unmounting would be better.
5. Use a hex editor to find the keys as per post 39, from about step 20 onwards ... which worked perfectly, no obvious issues with the page ordering making it difficult to find things.)
It took about 10 mins start to finish once I'd decided to go the /dev/mem route.
You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.
What a nice scope ... this was an upgrade for me from a DS1052E, so it's fantastic! Thanks to all for providing this info!
-
1. I didn't need to use a special copy of bash to get a core dump, the stock bash worked exactly the same as the special one (however see 2.)
a core dump is substantially smaller than an entire memory dump. With the core dump you're only going to get the memory associated with the running task, compared the memdump, where you'll get all the scope's memory.
Its curious you didn't find the keys in the core dump.... the only thing I can think of, is, perhaps, you took the core dump prior to the sds1000b process creating the keys within its memory pages (there is logic in the scope app to generate the keys using the scopeid and serial # to check against the licensed options, they are not hard-coded in the scope app) so if you took a core dump prior to that routine executing (and at what point it runs, who knows). I'd be interested in taking a look at the core dump if you'd be willing to share it.
You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.
These methods will continue to work until Siglent pdsh's the SCPI SHELLCMD, or disables telnet access completely by removing the telnet binary from cramfs, in an upcoming firmware revision.
-
You could make it even simpler by using "SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin" as per post 54, but then you don't really know when it's done, it seemed easier having a command line ... and it's always nice to have a look around.
These methods will continue to work until Siglent pdsh's the SCPI SHELLCMD, or disables telnet access completely by removing the telnet binary from cramfs, in an upcoming firmware revision.
time(1) will tell you when the cat completes.
-
Hi, does the hack actually work? I mean, has anyone verifyied wether the hacked scope actually works at 200Mhz bw or all it does is changing the system info page?
-
Hi, does the hack actually work? I mean, has anyone verifyied wether the hacked scope actually works at 200Mhz bw or all it does is changing the system info page?
You can see here how the 100 MHz roll off is much improved after improving to the 200 MHz model:
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613374/#msg1613374 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1613374/#msg1613374)
There's some further supporting info in subsequent posts.
Also have a hunt through rf-loop's posts, he's switched his SDS1104X-E back and forth.
I've never hacked one but the info here is entirely convincing that it is a valid upgrade. ;)
-
I wanted to thank all the contributors for all the various unlocking instructions, especially VT100 whose instructions I was following per post #39 for the keys to my options upgrade. It's nice to have a fully upgraded scope, at just the right price. ;D
However, I have a question that I hope someone can clear up:
I first updated the bandwidth via the rooted OS & bandwidth.txt -> bandwidth.bak method, as that felt the most comfortable to me at the time. With that success, I started to feel more confident (or cocky, I suppose, lol) and thought I would then use the mem dump method to find the keys for the options, which I then also successfully updated.
So, this means that I did not use the "keys" method to update the bandwidth. Also, the bandwidth keys in my mem dump did not show a "duplicate" key indicating that the 200M license was active, but there is a "200M" reference nearby, and the PRBD? command shows "200M".
In addition, in my mem dump, there were only four 16 char bandwidth-license strings, and not five as VT100 suggested would be there, (i.e. indicating that one of them should be duplicated to represent the license key that the scope was operating under.) (Image attached)
I'm tempted to run the MCBD <license key> key command for what appears to be the 200M key (the second one, I presume, per VT100), as a belt-and-suspenders insurance that a future update won't clobber the "bandwidth.txt -> bandwidth.bak method" of bandwidth upgrade and return my scope back to 100M.
I guess I'm asking if anyone has an understanding or feel for the difference between a 200M license key install vs simply removing/renaming the bandwidth file? If I execute MCBD on what I've labelled the "200M key", will that duplicate the key (when I dump it again?) as VT100 suggests it should be?
I'm a bit confused that neither the 100M or the 200M key is showing as a duplicate, as I would have thought that, if VT100 is correct, at least one of them would be authorizing at least one bandwidth option.
I've attached a shot of the relevant part of the mem dump for the bandwidth keys.
Thanks again! :-+
-
Run the command. When a valid bandwith or option code is entered. The scope saves a bandwidth.txt or option.txt. so if your not seeing one yet it may change with later updates.
This would also explain why your not seeing the current code. It reads it from that txt file.
-
Brilliant! Thanks, Rerouter.
I ran the MCBD command with the suggested 200M key (from my dump file as attached earlier), and then went into the scope via telnet and checked for the bandwidth.txt file. It was there, as you called it, along with the older bandwidth.bak file from my original update.
I've attached a shot of the content of each file, the .txt now containing the 200M key, and the .bak containing the original 100M key.
I've also attached an updated memory dump excerpt showing the now repeated 200M key.
All good now! Thanks for the prompt response. :-+
Nick
-
So, this means that I did not use the "keys" method to update the bandwidth. Also, the bandwidth keys in my mem dump did not show a "duplicate" key indicating that the 200M license was active, but there is a "200M" reference nearby, and the PRBD? command shows "200M".
As earlier posts have indicated modifying the bandwidth.txt file puts the scope in "PRO MODE" which basically bypasses the licensing process so you have a scope with all options and full bandwidth. The problem with this approach is the next firmware update could easily change this by placing the scope into complete lockdown with no options and minimal bandwidth. Once you have your license keys, you never need to worry about losing access to bandwidth or options.
In addition, in my mem dump, there were only four 16 char bandwidth-license strings, and not five as VT100 suggested would be there, (i.e. indicating that one of them should be duplicated to represent the license key that the scope was operating under.) (Image attached)
This is expected. One of those 5, the "duplicate", is read from your filesystem and compared against the other 4 generated keys to determine what bandwidth your scope has. By "hacking" the config file you eliminated the "5th" key and now only see the 4 that the scope program generates for comparison. This is the 'expected' behavior given you changed the bandwidth.txt file.
I'm tempted to run the MCBD <license key> key command for what appears to be the 200M key (the second one, I presume, per VT100), as a belt-and-suspenders insurance that a future update won't clobber the "bandwidth.txt -> bandwidth.bak method" of bandwidth upgrade and return my scope back to 100M.
Even if you enter the wrong one, you can always enter another one to change it again. the MCBD command is not a one-shot deal.
I guess I'm asking if anyone has an understanding or feel for the difference between a 200M license key install vs simply removing/renaming the bandwidth file? If I execute MCBD on what I've labelled the "200M key", will that duplicate the key (when I dump it again?) as VT100 suggests it should be?
See paragraph #1 above.
I'm a bit confused that neither the 100M or the 200M key is showing as a duplicate, as I would have thought that, if VT100 is correct, at least one of them would be authorizing at least one bandwidth option.
See paragraph #2 above. Your scope isn't licensed w/ any bandwidth key, it's in PRO MODE. Hence you only have 4 keys in your mem dump, not 5.
-
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?
More importantly, someone mentioned a slight hardware difference in the analog front end of 1104x-e and 1204x-e. So, even if I can make my 1104 'think' he is a 1204, how can I make up for the hardware difference?
-
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?
It is not an option one can purchase. The scopes use the same platform -- apparently -- and their behavior is defined by a configuration that corresponds with the model it is sold as. It is supposed to be immutable. What is not known is whether there are any inherent differences in the hardware platforms? For example, would it be unreasonable to brand a scope that does not quite meet all the requirements for a 200 MHz scope as a 100 MHz scope? I don't think so. But, if one changes the configuration, and the scope well enough works at 200 MHz, why not? Of course, I would assert that the calibration is not valid when the scope is in that mode, it may not be possible to get the scope calibrated in that mode, and (regardless) the cost of calibrating this scope (whether it is an 1104 or a 1204) is going to approximate the cost of a new scope anyway.
-
I'm a little bit confused. I thought that 200Mhz bandwidth was not an 'option' on 1104x-e. So what the 200Mhz bw key is about?
It is not an option one can purchase. The scopes use the same platform -- apparently -- and their behavior is defined by a configuration that corresponds with the model it is sold as. It is supposed to be immutable. What is not known is whether there are any inherent differences in the hardware platforms? For example, would it be unreasonable to brand a scope that does not quite meet all the requirements for a 200 MHz scope as a 100 MHz scope? I don't think so. But, if one changes the configuration, and the scope well enough works at 200 MHz, why not? Of course, I would assert that the calibration is not valid when the scope is in that mode, it may not be possible to get the scope calibrated in that mode, and (regardless) the cost of calibrating this scope (whether it is an 1104 or a 1204) is going to approximate the cost of a new scope anyway.
So basically you are confirming my fears... we can hack it to 200Mhz but we can't be sure the scope is working properly in that mode and, worst of all, calibration in the hacked scope may not be valid anymore! So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.
-
So basically you are confirming my fears... we can hack it to 200Mhz but we can't be sure the scope is working properly in that mode and, worst of all, calibration in the hacked scope may not be valid anymore! So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.
No arguments from me there. I did opt for the 1204x-e. All I can say is that I cannot back my assertion that they may not be the exact same platform -- they could be. But, I will stand behind my assertion that the calibration is not valid for a 1104x-e at 200 MHz
-
So what's the point in hacking this scope? Too much at risk, only to spare a couple hundred bucks.
How can I word this correctly... umm... well, let's just say if you *need* 200mhz (with the associated calibrated accuracy) then spend the couple extra hundred, since (perhaps) your livelihood depends on it.
On the gripping hand, if you're just messing around with the scope in your shack, and that calibrated accuracy is not that important... why not?
Assuming of course the hardware platforms are different... which I doubt. I'm willing to wager the scopes are identical, and all that changes is the sticker on the front of the case and the bandwidth license pre-installed.
Much akin to how Windows now has several versions, all of which are on the DVD, but the features available to the user depends on the product key used to activate the product.
-
Thanks for the clarifications, I've now got a much better understanding of how the key mechanism works. Trying to assimilate that combined knowledge from all the various thread posts was a challenge, and perhaps my questions & your answers have helped others as confused as I.
One more question on the same topic: I am also curious as to how the "option keys" work for the Wifi, MSO and AWG modules. In the normal course of events, if I were to buy an AWG for example, how would the key needed to activate my scope to use the AWG be communicated to me (assuming that the option key itself is unique to my scope)? Does the AWG itself communicate/handshake with the scope to authorize its use? Would there be a piece of paper with the AWG that contains a code that needs to be entered somehow?
And why the need for an option key at all? Is it just a function of wanting to prevent knock-off Wifi, MSO, and AWG modules from working with the scope? If you have to pay for the module anyway, I can't see any other reason for needing an option key mechanism in the first place.
Thanks again -
-
The SAG1021 AWG can be thought as 2 units if you like, one for Bode plot usage where NO licensing is required and as a reasonably well featured AWG controlled from within the scope UI. For that functionality you do need the licensing.
Edit to add; Only once the trial licenses have expired is any option licensing required.
-
I question the option vodes as anything other than a money grab. But the scope is the only thing that needs the code entered. While I have yet to get it to work. The AWG option should also respond via SCPI over usb. But i have yet to successfully test that.
You get option codes on printed off sheets of paper if you buy them with the scope. Possibly similar via email if after the purchase.
The AWG interface is limited via the scope UI. It leaves out any way to configure the SweepWave, BurstWave, ModulateWave, and ArbWave. Not to mention there is everything already in place for the scope to capture a waveform and to play it back under any of these modes. But I have not yet found an easy way to do that.
-
I question the option codes as anything other than a money grab.
Er well yes but only for 3 options whereas other 'money grabbing' brands like Tek, KS, R&S, LeCroy, Rigol etc will want to charge you for more. Decode is commonly an option for most brands while Siglent provide it for free.
Your point is ? :-//
But the scope is the only thing that needs the code entered. While I have yet to get it to work. The AWG option should also respond via SCPI over usb. But i have yet to successfully test that.
SAG1021 arbitrary use is intended to be via the EasyWave SW where you will use SCPI commands.
This is all mentioned in the X-E datasheet.
You get option codes on printed off sheets of paper if you buy them with the scope. Possibly similar via email if after the purchase.
Maybe, maybe not.
If I have them at sale time I'll install them and pack a sheet/s of paper with them printed on too.
Otherwise it's a pdf in an later email with an option authorization code with which you go onto Siglents option generation website and enter it along with model type and SN#. The 'real' option code is then generated automatically and you have the option to get it on a pdf with installation instructions. This is what we normally add to the box prior to shipment.
The AWG interface is limited via the scope UI. It leaves out any way to configure the SweepWave, BurstWave, ModulateWave, and ArbWave. Not to mention there is everything already in place for the scope to capture a waveform and to play it back under any of these modes. But I have not yet found an easy way to do that.
Good point, maybe 'play' a captured waveform can be added into future FW. :-+
-
If I hack the scope to 200mhz bw will the self calibration procedure still work properly?
-
If I hack the scope to 200mhz bw will the self calibration procedure still work properly?
Of course.
After then it is SDS1204X-E (except front panel model sticker) and works as SDS1204X-E including everything - (if it is properly modified).
Only difference is front panel sticker and probes included in carton. But even these probes are not bad for 200MHz. (you can find probe test in this forum)
-
If I hack the scope to 200mhz bw will the self calibration procedure still work properly?
Of course.
After then it is SDS1204X-E (except front panel model sticker) and works as SDS1204X-E including everything - (if it is properly modified).
Only difference is front panel sticker and probes included in carton. But even these probes are not bad for 200MHz. (you can find probe test in this forum)
Someone before asserted that factory calibration after the hack was not valid anymore.
-
Someone before asserted that factory calibration after the hack was not valid anymore.
Then, go ask that "someone".
-
Someone before asserted that factory calibration after the hack was not valid anymore.
Then, go ask that "someone".
It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
-
Someone before asserted that factory calibration after the hack was not valid anymore.
Then, go ask that "someone".
It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Any hacked equipment ceases to have official traceable calibration, this is the price of hacking equipment.
If you must have traceable equipment then you are constrained to buying the necessary model and options.
-
Someone before asserted that factory calibration after the hack was not valid anymore.
Then, go ask that "someone".
It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Any hacked equipment ceases to have official traceable calibration, this is the price of hacking equipment.
If you must have traceable equipment then you are constrained to buying the necessary model and options.
I must not have traceable equipment but I must have accurate equipment. So, if hacking the scope makes me lose accuracy I'm not gonna hack it. So: am I losing accuracy with the hack?
-
Someone before asserted that factory calibration after the hack was not valid anymore.
Then, go ask that "someone".
It was an opinion page 4 of this thread. If you think it's not correct please state it. I'm just trying to build my opinion on this topic.
Any hacked equipment ceases to have official traceable calibration, this is the price of hacking equipment.
If you must have traceable equipment then you are constrained to buying the necessary model and options.
I must not have traceable equipment but I must have accurate equipment. So, if hacking the scope makes me lose accuracy I'm not gonna hack it. So: am I losing accuracy with the hack?
'Proven' -3dB BW of hacked SDS1104X-E is ~230 MHz and and amplitude spec is +3% like all DSO's, is that good enough ?
-
So, in the 1104x-e the 100Mhz bandwidth is obtained by limiting the full 200Mhz bandwidth via a software low pass filter? No hardware?
-
The 100Mhz bandwidth limit is achieved by FIR filter coefficients (https://en.wikipedia.org/wiki/Finite_impulse_response) - these coefficients are different for the different bandwidths. The FIR filter is implemented in the FPGA, and applied to the signal coming from the ADC.
Short answer - it is software, but not software running on the ARM CPU.
The 20Mhz selectable bandwith limit takes place in the analog front-end, and so is implemented in hardware.
--Ian.
-
Very interesting. I really like this scope and, with this hack, you are getting a tremendous bang for your buck (4 channels, 200Mhz, 1Gsa/s, double ADC for 500$). This is double the scope w.r.t. a Rigol 1054z for only 50% more in price. Big A Brand scopes with similar features are at least three/four times as expensive. Besides, the hack is really a piece of cake.
-
Got it to work, many thanks for the instructions. Note that if you go with the Visual Studio solutions, in the TryKeys you have to change the hardcoded 23 port to 9999 if you want to use the telnet daemon started via SCPI (SHELLCMD telnetd -l/bin/sh -p9999). Also comment out the TelnetClient.login section as it is not needed (and even fails) for this telnet access. Changing the port number from 23 to 9999 in the .json is not enough unfortunately.
This scope is one of the best deals around, got it for $125 off MSRP from Amazon Warehouse Deals and now unlocked 200MHz and the 3 other items :) :)
Also, Newegg has the TL-WN725N wifi USB dongle for only $7 using code EMCTUVA36 for $3 off. Just bought one for my new scope. This same module is offered by Siglent for a mere $49 at https://store.siglentamerica.com/product/sds1104x-e-100-mhz/ Is this scope compatible with many wifi adapters or just this one?
-
The scope only has the driver file for that exact wifi dongle. however the drivers are inside a directory that you can write files to, (needs to remount the directory),
Your free to try loading other drivers for other dongles, But i cannot say if it will work, as Its unclear to me exactly how the system app is hooking into it at this point.
\bin\siglent\drivers\mt7601u.ko
-
Very interesting. I really like this scope and, with this hack, you are getting a tremendous bang for your buck (4 channels, 200Mhz, 1Gsa/s, double ADC for 500$). This is double the scope w.r.t. a Rigol 1054z for only 50% more in price. Big A Brand scopes with similar features are at least three/four times as expensive. Besides, the hack is really a piece of cake.
If compare Rigol 1kZ with Siglent 1104/1204X-E they give really lot of more performance and features than just more bandwidth and samplerate.
What big A brand scope have one scope with waveform history buffer, full memory measurements with full sample resolution, fast segmented memory with up to over 100M memory, true full resolution 500uV/div, up to 32000 bytes single shot I2C decode (simultaneously 2 independent separate I2C bus), or 1000bytes/channel single shot UART decode (simultaneously 2 separate independent UART RxTx bus) etc... and all this online and offline including history buffer.
1Mpoints FFT, 3 channels 501point BodePlot (need external what ever Siglent SDG) even with 500Hz span (1Hz step) for narrow filters, semi fast XY (up to 60kwfm/s (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1801388/#msg1801388)) including intensity gradation, XY plot history buffer and YT measurements in XY mode. Even simplest thing, Sinc interpolation, Rigol 1kZ box can not do right way. In siglent there is always available true samples and interpolation is fully post processed and user have full freedom to select right display mode/interpolation afterwards (example when looking stopped scope including wfm history buffer.) This is also important in real tool when user need detect if displayed wfm include well known Sinc interpolation "problems" when signal have fast changes related to current sample interval.
So, what we compare to what... perhaps lemons and shoes.
-
If compare Rigol 1kZ with Siglent 1104/1204X-E they give really lot of more performance and features than just more bandwidth and samplerate.
What big A brand scope have one scope with waveform history buffer, full memory measurements with full sample resolution, fast segmented memory with up to over 100M memory, true full resolution 500uV/div, up to 32000 bytes single shot I2C decode (simultaneously 2 independent separate I2C bus), or 1000bytes/channel single shot UART decode (simultaneously 2 separate independent UART RxTx bus) etc... and all this online and offline including history buffer.
1Mpoints FFT, 3 channels 501point BodePlot (need external what ever Siglent SDG) even with 500Hz span (1Hz step) for narrow filters, semi fast XY (up to 60kwfm/s (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg1801388/#msg1801388)) including intensity gradation, XY plot history buffer and YT measurements in XY mode. Even simplest thing, Sinc interpolation, Rigol 1kZ box can not do right way. In siglent there is always available true samples and interpolation is fully post processed and user have full freedom to select right display mode/interpolation afterwards (example when looking stopped scope including wfm history buffer.) This is also important in real tool when user need detect if displayed wfm include well known Sinc interpolation "problems" when signal have fast changes related to current sample interval.
So, what we compare to what... perhaps lemons and shoes.
No need to get upset. I'm with you. I was simply saying that these scopes are a tremendous value and that A Brand scopes with similar (similar!) features cost many times more. The other big contender which surpasses these scopes spec-wise is the new Rigol MSO5000, but for double the price. So 1000x-e scopes are still the best value on the market IMHO.
-
The scope only has the driver file for that exact wifi dongle. however the drivers are inside a directory that you can write files to, (needs to remount the directory),
Your free to try loading other drivers for other dongles, But i cannot say if it will work, as Its unclear to me exactly how the system app is hooking into it at this point.
\bin\siglent\drivers\mt7601u.ko
I used a TPLink wifi dongle on mine and it worked fine.
-
I am going to try installing a few other wifi dongles and will provide any success stories in an additional thread. For me, I would like an AC dongle so I dont have to run legacy Wireless at home - just for the scope... I doubt the speed difference would help with the web server.
-
The $7 wifi adapter arrived from Newegg yesterday and it is the TP-Link TL-WN725N v3. It connected it to my SDS1104X-E & gets a valid IP via DHCP. I can't seem to access the scope web interface though. Via wired Ethernet it works fine. Running latest firmware with wifi feature unlocked.
Does the driver support all three TP-Link TL-WN725N versions? It seems so given that DHCP worked and the message pops up 'WLAN connected' but I cannot access the web interface or even ping the scope. Again, wired all working. I tried both USB ports, front and back.
-
The $7 wifi adapter arrived from Newegg yesterday and it is the TP-Link TL-WN725N v3. It connected it to my SDS1104X-E & gets a valid IP via DHCP. I can't seem to access the scope web interface though. Via wired Ethernet it works fine. Running latest firmware with wifi feature unlocked.
Does the driver support all three TP-Link TL-WN725N versions? It seems so given that DHCP worked and the message pops up 'WLAN connected' but I cannot access the web interface or even ping the scope. Again, wired all working. I tried both USB ports, front and back.
Have a study here:
https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2038612/#msg2038612 (https://www.eevblog.com/forum/testgear/siglent-sds1204x-e-released-for-domestic-markets-in-china/msg2038612/#msg2038612)
-
I just got this scope and completed the *upgrade*. My experience was a mashup of other users, so I figured I would comment on what didn't work and what I ended up doing to achieve success.
What didn't work:
I followed the core dump procedure. I did the following:
- Run the SCPI command SHELLCMD telnetd -l/bin/sh -p9999
- Connect to the scope and follow the remaining core dump procedure on post #39
There are a few typos, but I was able to execute the procedures. I ran through it several times and was never able to generate a core dump on the first try. I then tried simply restarting SDS1000b.app without rebooting the scope and killing again (not what the above procedure suggested). A few times I was able to get the core dump file to generate, but that lead to another problem. As another user stated, the scope buttons remained unusable, even after restarting the app. The only way to recover was a power cycle. This would wipe out the core file that was created. In addition to the buttons not working, the scope would not detect the USB drive anymore to copy the core dump too. The Linux OS would detect the drive, but it would not mount. I had to manually create a temp directory in /usr/bin/siglent/usr/mass-storage/ and manually mount /dev/sda1 to it to copy the core dump. I did this several times with several core dumps. I got a ~207MB file each time, but most of it was empty and searching for the string "SDS1000X-E" always yeilded "no match". So, this method did not work for me. Perhaps someone can explain why?
What did work:
Using following command to get a mem dump on the USB drive worked perfectly: post#54
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
The flash drive I was using had an LED indicator that flashed when preforming a read/write and slowly dimmed when idle making it easy to tell when the file was done writing, which was nice. I created several mem dumps to compare. Each one was different, which was expected, but I noticed only one contained my BW keys in a contiguous block that was human readable. None of them contained the options keys in a contiguous block, thus I needed to use some tools. I ended up trying the FindKeys and Trykeys tools mentioned in post #38. make sure you have the current version of Visual Studios (I ran VS2017 15.9) and install .NET Core 2.1 as that is what the tools run on.
Define the proper parameters in the FindKeys .json file as instructed in the repo readme and run the FindKeys tool against your mem dump file. It will generate a txt file that has all the possible combinations of possible keys through the fragmentation of the mem file.
Define the proper parameters in the TryKeys .json file as instructed in the repo readme. I noticed some things about the TryKeys program that should be addressed before running it.- It is setup to use authentication for the Telnet connection. This is not needed if using the below method to create an unauthenticated Telnet session. If the code is ran with the authentication step, it will hang. Simply comment out the IF statement if(!client.login() ...) to skip this.
- I noticed that the code did not handle the response of the Telnet command properly WRT the bandwidth file. When parsing out parts of the response, it didnt seem to take into account that there was more information than expected. For example, if you selected "true" in the .json file to update the bandwidth.txt file, it reads the bandwidth file to see what the current key is. The response contained the entire cat command and PWD, but the code only grabbed the first 16 characters assuming it was the currently activated key string, but it was not. I selected "false" in the .json file so that it did not try to update the bandwidth and bypassed this whole mechanism. Perhaps it should use the .Contains() method as it does elsewhere in the code? I did the BW update in a later step below.
- The telnet port is hard coded to check that 23 is used, but the .json file allows you to set a port number. This is odd as it will fail the comparison if anything other than 23 is used, so why make it a user definable option in the .json file??? :-// I changed the code to allow any port to be used (9999 in my case).
- The code will try to send each key generated from the FindKeys txt file for each option. When the scope generates the corresponding options file, the program reports success for that key and moves on to the next option. The program then reports what key worked for each option. I ran this in single step because the program closes immediately after it finishes leaving no chance to write down the information (I also did this to make sure I understood what it was doing in each step). A pause should be added at the end if not running in single step if you want to document the keys. Or, you could always cat out the license file it generates. They contain the valid keys too.
The root telnet access method is needed for the TryKeys program to run:
Run the SCPI command SHELLCMD telnetd -l/bin/sh -p9999
Then run the Trykeys based on the above config/recommendations.
If you didnt use the Trykeys to update the bandwidth (like me), run the SCPI command MCBD (license key)
where (license key) is the key for the bandwidth you want, to update it manually. Then reboot and check with the PRBD?
command to verify.
All in all, I think the method that worked for me is the simplest as it requires no software modifications (I was running 7.1.6.1.25R2 out of the box). It is also the most reliable as I was able to get the mem dump file every time I ran the command and all the files ended up producing the valid keys.
Hope my experience makes this process easier for others! I am really enjoying me new scope!
-
Hi All - Instructions are very good, thank you! After reading the entire 5 pages of posts I ended up doing the following. Also for the record my scope was bought in Jan-2019 with 6.1.25.R2 and I had upgraded to 6.1.26 before doing this. (7.1. prefix shows up the FW revision i.s. 7.1.6.1.26)
I did the mem dump technique below and did get the 250M file (thanks to post #54)
SHELLCMD cat /dev/mem > /usr/bin/siglent/usr/mass_storage/U-disk0/memdump.bin
I used the Mac OS "Hex Friend" editor to view the memdump.bin file and initially I thought I wasn't getting it but then it kinda stuck out like a sore thumb exactly as described in post #39 steps 21 - 23. What I'm NOT seeing are the Option codes #38 step 24. I see my serial number in two places but no 16 character strings nearby.
I started to try to use FindKeys but I don't use Visual Studio so not sure what I was doing there. I did a build the FindKeys prj and it did put a bin folder with a FindKeys.DLL and FindKeys.json but I don't understand how to run that... I thought there would a FindKeys.exe file? But Bandwidth was the main thing I wanted to upgrade... I will keep checking back here and maybe try the option codes again later... need a break now haha... Many thanks!